[AIRFLOW-3947] Flash msg for no DAG-level access error

[XD-DENG]

Jira

• https://issues.apache.org/jira/browse/AIRFLOW-3947

Description

• Here are some details about my PR, including screenshots of any UI changes:

In FAB UI, when user clicks a page to which he/she doesn't have access, there will be a "Access is Denied" flash message.

But for the DAG-level access control: when the user clicks a DAG to which he/she doesn't have access, he/she would be redirected to the main page WITHOUT any flash message. This may be confusing to the user.

This PR adds proper flash warning message in the UI for this. Users will see flash message "DAG-level access is denied" when they click on a DAG to which he/she doesn't have "can_dag_view"/"can_dag_edit" permissions.

[XD-DENG]

@feng-tao PTAL.

[codecov-io]

Codecov Report

Merging #4767 into master will increase coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #4767      +/-   ##
==========================================
+ Coverage   74.44%   74.45%   +<.01%     
==========================================
  Files         450      450              
  Lines       28973    28974       +1     
==========================================
+ Hits        21570    21572       +2     
+ Misses       7403     7402       -1

Impacted Files	Coverage Δ
airflow/www/decorators.py	74.5% <100%> (+0.5%)	⬆️
airflow/contrib/operators/ssh_operator.py	83.54% <0%> (+1.26%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bfa81b5...afec11b. Read the comment docs.

[feng-tao]

lgtm, thanks @XD-DENG

[feng-tao]

how about the message change to "User can't access {} DAG.".format(dag_id) ?

[feng-tao]

But when I implemented the feature, the user can't even see the DAGs that he doesn't have permissions from the landing page(or can only see the DAG he can access). Is there something changed here?

[XD-DENG]

Sure. Let me update it.

[XD-DENG]

I don't know. But based on what I tested/observed now, users can see the DAGs to which that he/she doesn't have permissions.

May you check & confirm from your side as well?

[XD-DENG]

What I tested was to delete the two "all_dags" permissions from role "User", then log in as "User" role. I can still see all the DAGs (all are the "built-in" example DAGs though).

[XD-DENG]

@feng-tao , updated as advised. PTAL.

I think it's good to have this flash message, no matter if the user can or can not see the DAGs that he/she doesn't have permissions from the landing page (there may be cases that he/she is given a URL like http://localhost:8080/tree?dag_id=<dag_to_check> while he/she doesn't have access to <dag_to_check>).

[feng-tao]

Yeah, I am afk and will merge tomorrow morning . And could you create a jira for that issue and assign it to me?

[XD-DENG]

Sure, will do that.

[XD-DENG]

But when I implemented the feature, the user can't even see the DAGs that he doesn't have permissions from the landing page(or can only see the DAG he can access). Is there something changed here?

Created https://issues.apache.org/jira/browse/AIRFLOW-3949 to track the issue discussed above.

[XD-DENG]

Hi @feng-tao , I updated the flash message contents to "User can't access DAG {}.".format(dag_id) as advised, but it's causing some issues (https://travis-ci.org/apache/airflow/jobs/498037088#L5528): 5 tests failed because the dag id appears in the html contents while it should not according to the test definition.

It may not be worth changing the test cases for this PR, so I changed the flash msg to "Access is Denied" (1. it's consistent with the default msg in FAB; 2. "DAG-level access is denied" may cause wrong impression that the current user doesn't have dag-level access to any dag).

[feng-tao]

thanks